High energy costs and concerns over the stability and capacity of electric grids are leading businesses to evaluate and implement their own onsite energy generation systems. These onsite systems, referred to as distributed energy resources (DERs), are most commonly solar panel arrays, often paired with batteries to store energy for later use.
DERs are usually connected to the grid so that businesses can sell electricity they don't use to the utility. They might also connect to an organization's internal systems and to third parties that monitor and manage the DER.
This connectivity creates new points of vulnerability that organizations must take into account when assessing risk. Potential risks range from disrupting a single DER to compromising the electrical grid itself.
A key component of solar DERs is the smart inverter, which connects to the electrical grid but is not owned by the utility. Inverters manage the flow of energy to and from the DER and the electrical grid. They sense grid conditions and communicate with the electric utility, so they play a key role in power availability, safety and grid stability.
Smart inverters are internet of things (IoT) devices that typically access cloud-based monitoring and management services. This connectivity exposes smart inverters to cyber threats and increases the need for effective device cybersecurity that ensures continued safe and reliable operation.
While voluntary DER security best practices and frameworks exist, there are no industry-accepted standards. “Unlike traditional utility-scale power generation, DER security is still evolving with varying degrees of compliance across industries,” says Heath Jeppson, senior cybersecurity consultant at Stanley Consultants.
“Securing our solar systems is a generational opportunity to get our future energy infrastructure right. If we fail at it, it will be like the internet all over again, where speed of deployment trumped security concerns, resulting in an internet riddled with security flaws that plague us to this day,” says Uri Sadot, cybersecurity program director at SolarEdge, which develops smart inverters.
Why solar inverters are vulnerable
The smart inverter vulnerability story is the same as for many IoT devices: cost and speed to market take priority over security. “Over the past five years, it’s been a race to the bottom for price. There was a period where inverters competed over yield and conversion efficiency, but they are steadily becoming a commodity,” says Sadot. One result of that cost cutting is poor cyber hygiene, such as 12345678 or psw1111 being the default password for an entire category of products. “The installer never replaces the password, so [attackers] can just connect over the internet.”
The volume of solar and battery installations, each with multiple inverters, makes them an attractive target to attackers. “Just in the US there are more than 5 million [solar systems] in play, and that expands the attack surface exponentially,” says Thomas Tansy, CEO of DER Security Corp. and chairman of the SunSpec Alliance, which defines standards for DER cybersecurity. A DER Security white paper that lists all known solar DER vulnerabilities and attacks since 2012, including the 2024 attack that hijacked hundreds of inverters as part of a botnet, illustrates the scale at which cyber adversaries might exploit them.
For some companies, especially small- to medium-sized businesses (SMBs), ownership of DER security might not be assigned at all, or might sit with people who lack the skills for it. “When you talk to a Fortune 100 company, they know their game,” says Sadot. “They have cyber people who are very proficient; they have energy people who are very proficient.”
SMBs that take a methodical approach to their DER projects with multi-year plans are more likely to assign security tasks to a security team or a capable IT team. Security might not be much of a consideration for one-off solar projects, especially at smaller scale. Yet the size of the project does not change the vulnerabilities, and the risk depends less on how many panels are on the roof than on what the solar array and its inverters connect to.
Smart inverters are managed through a control panel, and most commercial solar installations also connect to online management software. A business might outsource management of the solar systems to a third party. The control panel, management software, and third-party networks are all potential points of entry for an attacker.
For example, researchers Wietse Boonstra and Hidde Smit at WBSec and volunteers at the Dutch Institute for Vulnerability Disclosure (DIVD) found a vulnerability in the Enphase IQ Gateway in 2024. Enphase is one of the largest vendors of smart inverters for residential and commercial solar installations, and the IQ Gateway is the device that collects data from its inverters and links them to Enphase's cloud monitoring and management service.
Boonstra had earlier found and reported a vulnerability in the Enphase Envoy software that supported his home solar array. The company had already addressed it, but he later found a US Cybersecurity and Infrastructure Security Agency (CISA) advisory for another Enphase Envoy vulnerability that inspired him to dig deeper. That led to his discovery of six zero-day vulnerabilities in the Enphase IQ Gateway and its inverters, which the company quickly resolved, rolling out updates to customers.
“I found three vulnerabilities, and by linking them together, I could get remote code execution. That’s on the Enphase inverter,” says Boonstra. Then he turned his attention to the Enphase IQ Gateway where he found a flaw that allowed him to take over all the Enphase inverters connected to the internet. “And that was quicker than spending all the time looking for remote code execution.”
“It’s like the whole Kaseya story again. It’s like a supply chain attack,” says Boonstra, who earlier discovered zero-day vulnerabilities in the Kaseya VSA remote software management tool. “If I can upload new firmware or my software to your device and it is connected to your company network, then that’s my entry or backdoor into your network.”
That flaw could have allowed an attacker to access more than 4 million devices in 150 countries. Taking that much solar capacity offline could cause significant disruption in the electric grids in many regions. Last year, Bitdefender researchers found similar vulnerabilities in the management platforms of Solarman and Deye, two Chinese vendors.
Solar arrays are commonly connected to battery systems that store energy for use when the sun doesn’t shine. The batteries might also come with their own control systems and software. Sadot points out that smaller battery units will be subordinate to the solar inverters and shielded from the internet. Larger, container-sized batteries, however, have their own independent internet connection.
On a positive note, solar inverter manufacturers are starting to up their security game. “I don’t think it’s too surprising that in [the US], the two companies that have run away with the rooftop solar market, Enphase and SolarEdge, feature cybersecurity very prominently in terms of their overall value proposition,” says Tansy. The SunSpec Alliance, which Tansy chairs, is working with the solar DER industry to establish security baselines.
Smart inverter vulnerabilities threaten the electric grid
The biggest risk occurs during high-demand periods. If enough solar DERs suddenly go offline during a critical period, there might not be adequate alternative energy sources that can come online immediately, or the available alternatives are much more expensive to operate. Attackers can produce similar results merely by changing the data that DERs send to utilities. Tansy offers the example of making a 10-kW array appear to the utility as a 1-megawatt (MW) system. If the utility tries to draw more capacity than is actually available from one or more solar DERs in a time of need, service quality will suffer and brownouts might occur.
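The falsified-capacity scenario above is the kind of thing a utility or aggregator can catch only by refusing to take the device's word for its own rating. The following is an added example, not code from the article or from any utility or vendor system: it checks each telemetry report against an authoritative nameplate registry (the interconnection record) and against a plausibility envelope for output and ramp rate. The registry, report format, tolerances and DER identifiers are all constructed for illustration.

```python
"""Plausibility checks on DER telemetry against an authoritative registry.

Added example, not from the article or any utility or vendor software. The
registry, report format, tolerances and DER identifiers are constructed.
"""
from datetime import datetime

# Authoritative nameplate ratings in kW as recorded at interconnection
# (constructed). This record is the trust anchor, never the device's own claim.
REGISTRY_KW = {"DER-0001": 10.0, "DER-0002": 250.0}

CAPACITY_TOLERANCE = 1.05   # reported capacity may exceed nameplate by 5%
OUTPUT_TOLERANCE = 1.10     # instantaneous output may exceed nameplate by 10%
MAX_RAMP_FRACTION = 0.5     # more than 50% of nameplate within RAMP_WINDOW_S
RAMP_WINDOW_S = 60          # is not a physical ramp for a PV array


def check_report(report, last_accepted):
    """Return the reasons to reject `report`; an empty list means accept."""
    nameplate = REGISTRY_KW.get(report["der"])
    if nameplate is None:
        return ["unknown DER id"]
    reasons = []
    if report["capacity_kw"] > nameplate * CAPACITY_TOLERANCE:
        reasons.append(f"claimed capacity {report['capacity_kw']} kW vs "
                       f"nameplate {nameplate} kW")
    if report["output_kw"] > nameplate * OUTPUT_TOLERANCE:
        reasons.append(f"output {report['output_kw']} kW exceeds nameplate")
    if last_accepted is not None:
        dt = (report["ts"] - last_accepted["ts"]).total_seconds()
        delta = abs(report["output_kw"] - last_accepted["output_kw"])
        if 0 <= dt <= RAMP_WINDOW_S and delta > nameplate * MAX_RAMP_FRACTION:
            reasons.append(f"ramp of {delta:.1f} kW in {dt:.0f}s")
    return reasons


def validate(reports):
    """Split reports into (accepted, rejected); rejected items carry reasons."""
    accepted, rejected, last = [], [], {}
    for r in sorted(reports, key=lambda r: r["ts"]):
        reasons = check_report(r, last.get(r["der"]))
        if reasons:
            rejected.append((r, reasons))
        else:
            accepted.append(r)
            last[r["der"]] = r   # only accepted reports feed the ramp baseline
    return accepted, rejected


def at(s):
    """Parse a constructed ISO-8601 timestamp."""
    return datetime.fromisoformat(s)


# Constructed reports: DER-0001 is a 10 kW array that suddenly claims to be
# 1 MW (the case in the text), DER-0002 is plausible apart from one impossible
# drop, and DER-9999 is not registered at all.
SAMPLE_REPORTS = [
    {"der": "DER-0001", "ts": at("2025-07-01T12:00:00"), "capacity_kw": 10.0, "output_kw": 8.2},
    {"der": "DER-0001", "ts": at("2025-07-01T12:00:30"), "capacity_kw": 1000.0, "output_kw": 8.3},
    {"der": "DER-0002", "ts": at("2025-07-01T12:00:00"), "capacity_kw": 250.0, "output_kw": 190.0},
    {"der": "DER-0002", "ts": at("2025-07-01T12:00:30"), "capacity_kw": 250.0, "output_kw": 195.0},
    {"der": "DER-0002", "ts": at("2025-07-01T12:01:00"), "capacity_kw": 250.0, "output_kw": 40.0},
    {"der": "DER-9999", "ts": at("2025-07-01T12:00:00"), "capacity_kw": 50.0, "output_kw": 30.0},
]

if __name__ == "__main__":
    ok, bad = validate(SAMPLE_REPORTS)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for r, why in bad:
        print(r["der"], r["ts"].isoformat(), "; ".join(why))
```

Rejected reports should be logged and excluded from dispatch calculations rather than silently dropped; a run of rejections from one DER is itself a signal that the device or its management path has been tampered with.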
“Solar arrays are pretty simple in their operation, but they’re complicated in their management,” says Gregory Pollmann, principal industrial threat hunter at Dragos. “You have to manage battery assets. You have to manage the solar arrays themselves. And both of those things are usually integrated into the building automation management system that is located within that organization.”
DERs connect to the grid to sell over-generation to the utility. “Usually there’s an observation connection from the public utility, and there’s also a management connection from the organization that actually owns the asset,” says Pollmann. “Theoretically, if those things were compromised, an adversary may have access to the power generation asset that’s owned by the organization or could possibly swim upstream to public utility assets.”
“Therein lies the risk that’s magnified when you’re talking about the proliferation of devices,” Pollmann adds. “If a public utility provider has 100,000 customers in a region and 5% are installing DERs, that’s 5,000 connections, and that’s 5,000 devices. And all of a sudden, the attack surfaces to both the organizations that are installing the DERs and possibly the public utility are expanded at an alarming rate.”
That said, Pollmann believes it would be difficult for an adversary to create a widespread power outage by exploiting DERs. “Each one of those connections is at an individual level on the DER side,” he says. “On the public utility side, that may be as possible, because the public utility represents the many to few relationship to all those DER assets. I think an adversary with means, with intent, would just go after the public utility and not spend time on individual compromise of DER assets.”
Utilities bench-test network and physical assets before bringing them online, says Pollmann, to ensure they meet certain levels of cybersecurity and physical security objectives. With DERs, they rely on the product to meet a rigorous manufacturing standard. “There’s some concern from the utility side that none of those things can be validated from their position.”
Nation-state adversaries are just as likely to leverage solar DERs to disrupt the grid as cybercriminals, says Tansy. In fact, it happened last year when the Russian-backed group Just Evil attacked Lithuania’s state energy holding company Ignitis Group through its solar monitoring system. “[Solar DERs] are a good way for a well-heeled adversarial nation-state to find a way into the overall grid,” he says.
“We are in the middle of intensifying global competition among superpowers, specifically players like China, Russia, and their surrogates in the United States,” says Tansy. “And we have an electrical grid that is overwhelmingly supplied by product that comes straight from mainland China. These are the solar inverters and the battery inverters; they are software driven. When the software needs to change, as often as not, it’s being changed and updated from a control system based in Beijing. That’s about as simple and plain as I can put it.”
Best practices for securing solar DERs
Too often when companies plan their solar DER projects, “cybersecurity just doesn’t come up,” says Tansy. “[The energy sector] is 100% regulation driven. If there’s not a rule that you need to have a security program in place, you’re not going to get one.”
Several organizations have developed DER security best practices and frameworks. They include:
- NIST IR 8498, Cybersecurity for Smart Inverters from the US National Institute of Standards and Technology (NIST)
- Cybersecurity Baselines for Electric Distribution Systems and DER from the National Association of Regulatory Utility Commissioners (NARUC)
- The Distributed Energy Resource Cybersecurity Framework from the US National Renewable Energy Laboratory (NREL)
Some key points from these documents and industry experts include vetting the security of the product and service providers. That covers fire safety as well as cybersecurity questions such as whether the device is protected from unauthorized remote access and where your data is stored, Sadot says. He suggests asking the installer who else has access to your data and control of your devices, where the data is stored, and how they are protecting it. A US Cybersecurity and Infrastructure Security Agency (CISA) document has a list of questions to ask providers about their security posture.
Assign security responsibilities to capable staff. They might be IT, OT, or a dedicated security team. The organization may also look for services providers.
Use strong access control and authentication practices. Change all default passwords and credentials that are preconfigured on the device, including any installer or service accounts. Use multi-factor authentication (MFA) for access to those devices and related accounts wherever the device or management portal supports it. Create, modify, or delete roles, credentials, and permissions as needed, and remove access for installers and contractors when their work is done. Implement role-based access control (RBAC) so that only staff assigned to perform a task have permission to do so. Inverters might have roles for installers, the electric utility, third-party operators, and staff responsible for maintaining the DER.
Configure the event log capturing data that would be needed should a security event occur. Inverter event logs will provide critical information that will help security teams analyze an unexpected event. This includes:
- All user authentication attempts along with the identities associated with them
- Changes to the smart inverter configuration settings including the identities of those making them
- The creation or deletion of user accounts
- Software and firmware update records and whether the update was manual or automated
- Communications events such as loss of connectivity, reconnection, or new connections to a network
- Actions made directly from the inverter’s control panel
Monitor the event log and key network activity for anomalies, verify that logs are actually being collected and stored, and watch the communications links to confirm they remain secure. “Many organizations lack real-time awareness of their OT network traffic, making detection and response difficult,” says Jeppson.
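The log items listed above are only useful if something reads them. As an added example (not code from the article, from NIST IR 8498, or from any inverter vendor), the script below runs a handful of detections over constructed inverter event log lines: a burst of failed logins followed by a success, configuration changes by a role that should not make them (the RBAC point above), account creation and firmware loads outside a maintenance window, a firmware image pulled from a host that is not the vendor's, and a link loss. The key=value log format, the role policy, the maintenance window and the vendor update host are all assumptions; real inverters and gateways each have their own schema, so the regex and field names need to be mapped onto what your device actually emits.

```python
"""Anomaly checks over smart-inverter event logs.

Added example, not code from the article, NIST, or any inverter vendor. The
log format, role policy, maintenance window and vendor update host are
assumptions to be mapped onto the schema your inverter or gateway emits.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: a password-guessing burst against INV-01 that
# succeeds, followed by a config change, account creation and firmware load
# from the same source; then routine activity and a link loss on INV-02.
SAMPLE_LOG = """\
2025-03-04T02:13:01Z inverter=INV-01 event=AUTH user=installer result=FAIL src=203.0.113.9
2025-03-04T02:13:04Z inverter=INV-01 event=AUTH user=installer result=FAIL src=203.0.113.9
2025-03-04T02:13:06Z inverter=INV-01 event=AUTH user=installer result=FAIL src=203.0.113.9
2025-03-04T02:13:09Z inverter=INV-01 event=AUTH user=installer result=FAIL src=203.0.113.9
2025-03-04T02:13:11Z inverter=INV-01 event=AUTH user=installer result=OK src=203.0.113.9
2025-03-04T02:14:30Z inverter=INV-01 event=CONFIG_CHANGE user=installer key=grid.export_limit_kw old=10 new=1000
2025-03-04T02:15:02Z inverter=INV-01 event=ACCOUNT_CREATE user=installer account=svc_backup
2025-03-04T02:16:40Z inverter=INV-01 event=FW_UPDATE user=installer mode=manual source=http://203.0.113.9/fw.bin result=OK
2025-03-04T09:00:00Z inverter=INV-02 event=AUTH user=operator result=OK src=10.20.0.5
2025-03-04T09:05:12Z inverter=INV-02 event=CONFIG_CHANGE user=operator key=telemetry.interval_s old=60 new=30
2025-03-04T09:07:45Z inverter=INV-02 event=CONFIG_CHANGE user=operator key=grid.reconnect_delay_s old=300 new=0
2025-03-04T09:10:00Z inverter=INV-02 event=FW_UPDATE user=system mode=auto source=https://updates.example-vendor.com/fw.bin result=OK
2025-03-04T11:30:00Z inverter=INV-02 event=LINK_DOWN iface=cell0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Policy knobs (assumed; tune to the site's change-control process).
FAIL_THRESHOLD = 3                      # failures from one source ...
FAIL_WINDOW = timedelta(minutes=2)      # ... within this window count as a burst
MAINT_HOURS = range(8, 18)              # UTC hours in which changes are expected
ROLE_MAY_CHANGE = {                     # role -> setting prefixes it may edit
    "installer": ("grid.", "telemetry."),
    "utility": ("grid.",),
    "operator": ("telemetry.",),
}
APPROVED_FW_HOSTS = {"updates.example-vendor.com"}  # hypothetical vendor host


def parse(log_text):
    """Turn key=value lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(KV_RE.findall(m.group("rest")))
        ev["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(log_text):
    """Return findings as dicts with inverter, ts, rule and detail."""
    findings = []
    fails = defaultdict(deque)   # (inverter, src) -> recent failure timestamps
    bursts = set()               # (inverter, src) pairs already flagged

    def flag(ev, rule, detail):
        findings.append({"inverter": ev.get("inverter"), "ts": ev["ts"].isoformat(),
                         "rule": rule, "detail": detail})

    for ev in parse(log_text):
        kind, ts = ev.get("event"), ev["ts"]
        if kind == "AUTH":
            key = (ev.get("inverter"), ev.get("src"))
            if ev.get("result") == "FAIL":
                q = fails[key]
                q.append(ts)
                while ts - q[0] > FAIL_WINDOW:      # drop failures outside the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and key not in bursts:
                    bursts.add(key)
                    flag(ev, "auth_burst", f"{len(q)} failures from {key[1]} in {FAIL_WINDOW}")
            elif key in bursts:   # a success right after a burst is the real alarm
                flag(ev, "success_after_burst", f"{ev.get('user')} logged in from {key[1]}")
        elif kind in ("CONFIG_CHANGE", "ACCOUNT_CREATE", "ACCOUNT_DELETE", "FW_UPDATE"):
            if ts.hour not in MAINT_HOURS:
                flag(ev, "outside_maintenance_window", f"{kind} by {ev.get('user')}")
            if kind == "CONFIG_CHANGE":
                allowed = ROLE_MAY_CHANGE.get(ev.get("user"), ())
                if not ev.get("key", "").startswith(allowed):   # empty tuple -> never allowed
                    flag(ev, "role_violation", f"{ev.get('user')} changed {ev.get('key')}")
            elif kind == "FW_UPDATE":
                host = urlparse(ev.get("source", "")).hostname
                if host not in APPROVED_FW_HOSTS:
                    flag(ev, "unapproved_firmware_source", f"{ev.get('mode')} update from {host}")
        elif kind == "LINK_DOWN":
            flag(ev, "connectivity_loss", f"interface {ev.get('iface')} down")
    return findings


def rule_counts(log_text):
    """Count findings per rule for a quick triage summary."""
    return Counter(f["rule"] for f in detect(log_text))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['inverter']} {f['rule']}: {f['detail']}")
```

Run against the sample, the INV-01 sequence reads as one incident: guessed password, grid export limit raised a hundredfold, a new persistent account, and firmware from the attacker's own host, all at two in the morning. The same checks belong on the gateway and management-portal logs, not only on the inverter, because that is where Boonstra's IQ Gateway finding shows the larger blast radius sits.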
Protect all communications connections. A smart inverter might connect with the device manufacturer, a third-party operator, an electric utility, or other devices at the location. Common practices for protecting communications include:
- Use a dedicated cellular connection for inverter-to-utility connections.
- Restrict communications with the system owner to the inverter’s control panel.
- Perform updates using a portable storage device such as a USB drive, with firmware obtained directly from the vendor and its integrity verified before installation.
- Separate the inverter from other network activity. “Too many systems remain flat, increasing the attack surface,” says Jeppson.
Keep the software and firmware updated. Boonstra recommends following good asset and patch management practices, knowing what versions of software you are running, and checking it against vulnerability databases.
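Checking a fleet against advisories is mostly a version-comparison exercise, and the traps are in the details (numeric components compared as strings, advisories that name an introduced version as well as a fixed one, and products with no fix at all). The block below is an added example, not code from the article or any vendor tool: it matches a constructed inventory of inverters and gateways against a constructed advisory list. The vendor names, product names, versions and advisory identifiers are placeholders, not real products or CVEs; in practice the advisory list would be fed from the vendor's security bulletins or a vulnerability database.

```python
"""Match an inverter/gateway inventory against vulnerability advisories.

Added example, not from the article or any vendor tool. Vendors, products,
versions and advisory IDs below are constructed placeholders, not real CVEs.
"""
import re

VERSION_LEN = 4   # pad all versions to this many components for comparison


def parse_version(s):
    """'7.6.175' -> (7, 6, 175, 0); leading digits of each dotted part are used."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (VERSION_LEN - len(parts))
    return tuple(parts[:VERSION_LEN])


def is_affected(version, advisory):
    """True if `version` lies in [introduced, fixed_in); None bounds are open."""
    v = parse_version(version)
    if advisory.get("introduced") and v < parse_version(advisory["introduced"]):
        return False
    if advisory.get("fixed_in") and v >= parse_version(advisory["fixed_in"]):
        return False
    return True


def find_exposed(inventory, advisories):
    """Return one record per (asset, advisory) pair that still applies."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if (asset["vendor"], asset["product"]) != (adv["vendor"], adv["product"]):
                continue
            if is_affected(asset["version"], adv):
                action = (f"update to {adv['fixed_in']}" if adv.get("fixed_in")
                          else "no fix available: isolate and mitigate")
                hits.append({"asset": asset["asset"], "version": asset["version"],
                             "advisory": adv["id"], "severity": adv["severity"],
                             "action": action})
    return hits


# Constructed advisory feed (placeholder IDs, not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleSolar", "product": "Gateway-G1",
     "introduced": None, "fixed_in": "7.6.175", "severity": "critical"},
    {"id": "ADV-0002", "vendor": "ExampleSolar", "product": "Inverter-M",
     "introduced": "2.0.0", "fixed_in": "2.4.1", "severity": "high"},
    {"id": "ADV-0003", "vendor": "ExampleStorage", "product": "Hybrid-5k",
     "introduced": None, "fixed_in": None, "severity": "medium"},
]

# Constructed site inventory.
INVENTORY = [
    {"asset": "gw-roof-1", "vendor": "ExampleSolar", "product": "Gateway-G1", "version": "7.6.120"},
    {"asset": "gw-roof-2", "vendor": "ExampleSolar", "product": "Gateway-G1", "version": "7.6.175"},
    {"asset": "inv-01", "vendor": "ExampleSolar", "product": "Inverter-M", "version": "1.9.3"},
    {"asset": "inv-02", "vendor": "ExampleSolar", "product": "Inverter-M", "version": "2.3.0"},
    {"asset": "bat-01", "vendor": "ExampleStorage", "product": "Hybrid-5k", "version": "3.1"},
]

if __name__ == "__main__":
    for h in find_exposed(INVENTORY, ADVISORIES):
        print(f"{h['asset']} {h['version']} {h['advisory']} ({h['severity']}): {h['action']}")
```

The inventory is the hard part, not the comparison: gateways often sit in front of inverters that run their own firmware, so record both, and re-read versions from the devices rather than trusting the installer's paperwork.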
Keep regular backups of the system and test their integrity. “Be prepared. Have backups. Test your backups. Test your emergency plan,” says Boonstra. He also recommends not storing backups only on the local system and conducting penetration testing exercises on the DER.
Disable features that are no longer used. This might include remote access protocols, guest or anonymous user access, or wireless communications.
Remove the smart inverter from the system when it is no longer needed. Attackers love connected but forgotten IoT devices, because nobody is watching them and an intrusion through one is far less likely to be discovered.